Health system's data breach insurance claims get challenged

What happens when a health system with liability insurance fails to secure protected health information of its patients and is hit with a $4.13 million class action settlement for it? The civil actions of one insurance company are suggesting the claims money doesn't come easy if you fail to follow minimum required security practices.

The three-hospital Cottage Health System in California back in December 2013 notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible to the Internet. Resultantly, the data may have been publicly available on search engines like Google.

The health system, which had a liability policy with Columbia Casualty Company, is now being challenged by the insurance company in court. The Chicago-based insurance company, which operates as a subsidiary of Continental Casualty Company, is challenging the claims of Cottage Health System, which thus far total nearly $4.13 million settlements filed by patients, saying the health system "provided false responses" to a risk control self assessment when it applied for a liability policy.

Columbia officials in a complaint filed this May point to an exclusion pertaining to failure to follow minimum required practices. This exclusion, they write, "precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving '(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application.'"

The health system's data breach, as Columbia officials allege, was caused by Cottage's "failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network."

In its application for the liability policy, Cottage Health System made "misrepresentations" regarding its security practices, and as such, Columbia is seeking reimbursement from the health system for the full $4.13 million that it had paid to Cottage thus far, in addition to attorney fees and related expenses.

In part of the application, Cottage answered "yes" to performing due diligence on third-party vendors to ensure their safeguards of protecting data are adequate; auditing these vendors at least once per year and requiring these third-party vendors have "sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality." The vendor who contributed to the data breach, inSync, according to the complaint, does not have sufficient assets or insurance that covers the breach.